Stanford Vulnerability Allowed Students to View Other Students' Data

Between Jan. 28 and 29, the student briefly accessed the records of 81 students while trying to assess the scope of the vulnerability. The documents were not searchable by name, but were instead accessible by changing a numeric ID in a URL.

By Jessica Davis

February 20, 2019

The Stanford Daily has reported that a now-fixed security vulnerability allowed Stanford students to view the applications and high school transcripts if they first requested to view their own admission documents under the Family Educational Rights and Privacy Act (FERPA).

The vulnerability was discovered by a student who recently submitted a FERPA request for their own documents in a third-party content management system called NolijWeb.

Between Jan. 28 and 29, the student briefly accessed the records of 81 students while trying to assess the scope of the vulnerability. The documents were not searchable by name, but were instead accessible by changing a numeric ID in a URL.

When a student views one of their files, the URLs and files are linked through numeric IDs. While the vulnerability didn’t allow students to search documents by name or other identifying information, they could change file ID numbers in URLs to access arbitrary students’ files.

“It wasn’t anything sophisticated,” the student said of their methods. The student said anyone with experience in web development could have easily exploited the vulnerability. “You change the ID slightly and it just gives you someone else’s records.”

According to university spokesperson Brad Hayward, Stanford has not identified other “instances of unauthorized viewing” but is still reviewing the situation. The university will notify the students whose privacy was compromised because of the security flaw.

“We regret this vulnerability in our system and apologize to those whose records were inappropriately viewed,” Hayward wrote in an email to The Daily. “We have worked to remedy the situation as quickly as possible and will continue working to better protect our systems and data.”

Stanford has notified Nolij’s parent company Hyland Software. It’s not clear how many schools using NolijWeb could be subject to the vulnerability.